Cracking down on digital ad fraud may seem like a hopeless and expensive game of whack-a-mole, but there are ways marketers and publishers can arm themselves better to fight it.

Digital ad fraud is a volume game. There are two core types: fraudulent ad impressions on any device, and click fraud — aka CPM and CPC fraud. Each type relies on volume, and that’s why there are a whole bunch of techniques used to drive large volumes of fraudulent impressions and clicks. That’s where the long list of confusing terms comes in — anything from click installs to ad stacking, and ad injection.

“Marketers feel paralyzed by the fear that fraud is so hard to unpick that they can’t do it, and it’s easier to believe it doesn’t affect them,” said Augustine Fou, anti-fraud and security researcher. “Or they think it’s priced in, but it’s not. There is so much misconception out there.”

Fraudsters follow the money, and with an increasingly large chunk of the digital ad budgets going to mobile globally, marketing teams need to ensure they’re fraud-savvy. Currently, 28 percent of global mobile media budgets are wasted on fraud, according to mobile marketing analytics AppsFlyer’s latest report. Meanwhile, 74 percent of that is conducted by ever more sophisticated and scalable fraud tactics, said the same report.

“Even advanced AI can be fooled at times,” said Karen Cohen, head of product marketing, at AppsFlyer. “That’s why it’s crucial that in addition to having automated fraud protection tools in place, marketers become well versed in the art of fraud and advanced fraud schemes, so the good guys can work together symbiotically to keep bad actors from harming the ecosystem.”

Here’s a primer on the core techniques used to generate CPM fraud.

General invalid traffic bot
Believe it or not, these are all good bots. That’s because GIVT bots are disclosed by the companies using them. For instance, Google has tons of bots on the web like spiders that crawl pages and organize its index. These are honest types of bots, because the companies using them disclose what they are. Non-human traffic and invalid traffic are the exact same thing, by the way; they’re just confusingly called the same thing.

Sophisticated Invalid traffic bot
This is the type to watch out for. SIVT is harder to detect and requires humans to properly analyze and identify, according to experts. Examples include hijacked devices, malware, and falsely identified viewable impressions.

Domain spoofing
The kind that sends premium publishers into a fury. It’s when a fake site masquerades as a bona fide publisher in order to trick buyers who bid on their impressions. The Financial Times, New York Times and News UK all cracked down hard on this in 2017. Ads.txt was invented to help with this. That said, some anti-fraud and security experts don’t think ads.txt is bulletproof, and that fraud is still occurring. “Ads.txt would work better if buyers bothered to check it,” said Fou. If the buyer sees a premium publisher in there, they need to look for the seller ID, not just the domain, he added. “The buyer needs to cross-check it’s definitely that publisher by looking at the seller IDs and cross-checking them with ESPN’s seller ID.”

Data center traffic
This is a low-entry point for fraudsters. Unlike malware fraudsters, this is cheap and relatively easy to do, according to Fou. This is where traffic originates from servers set up in a data center, rather than actual companies. It is made to look as though audiences are seeing the traffic generated when they aren’t. In order for a human to see an ad, they need a screen. But data centers simulate what an impression would look like, including details such as screen resolution for example — anything that makes it look like a browser. Mobile emulators do the same thing.

Fake device IDs
A big problem in mobile. Fake mobile devices create fake IDs — a random string of numbers and letters (called alphanumeric code) — designed to defeat frequency caps. Another type is the copying of real device IDs from human devices and replaying them so they escape detection by telecom providers, so they can’t determine fraudulent ones from their own.

Ghost sites
These are sites that don’t exist, like blank pages. A blank page with no content is set up, and some ad tech code added and pushed into a low-quality exchange to start generating money from fake impressions. Legitimate exchanges block this. But it’s hard to fully clamp down on because sometimes by the time the inventory gets to the end exchange it’s been through so many others that it’s harder to spot.

Redirect traffic
When pages are set to redirect to other pages in an infinite loop, in the process creating millions of fake impressions. Prolific on desktop and mobile. It’s a tricky one because marketers may feel insulted by the fact they have bot detection tools deployed on certain pages. But it’s the hidden pages being created by this redirected traffic that are the blind spots because anti-fraud tech can’t see them.

Infected/hijacked device malwareExperts say getting malware onto a human device is a really hard, expensive technique. The meth bot fraud scandal uncovered by WhiteOps is the type of malware fraud that causes issues. It is much harder to do than spinning up a mobile emulator or a data center. There are specialists that focus on curbing these kinds of schemes. It follows, then, that those interested in committing ad fraud resort to easier and cheaper techniques such as emulators and data centers, which are, therefore, more prolific.

Inventory misrepresentation
This is a big problem for video. Fairly common practice, and like a form of arbitrage. An example is taking a 300×250 banner ad slot bought cheaply, and stuffing in a video unit to sell it for a far higher CPM. Some exchanges have had to ban the format entirely on their platforms in order to get rid of it. Used to drive up yields fraudulently rather than quantity of fraudulent impressions.